The news coming out of Hackmageddon, that January reported an unusually low number of "Attack Techniques", was quite disturbing. Did the security industry really manage to get the upper hand? Wait for it... oh, here comes another devastating vulnerability!

I recently read an interesting blog post on an ADC vendor’s site that demonstrates a Rube Goldberg approach to showing common SSL information. Now I won’t name names but I will admit that it inspired me to write a quick blog post to show the business-ready alternative to the science project approach!

I recently came across a SaaS company that required support for Perfect Forward Secrecy (PFS) for better SSL security. They bought 4 pairs of [redacted] ADC / load balancers from a proprietary hardware vendor to perform SSL termination with PFS. At first glance, this seems like a safe, logical decision. Just like real estate was a safe and conservative investment strategy in 2006 before the bubble burst, or .com stocks in 2000 right before the stock market's implosion.

I’m pretty certain that whoever first uttered the phrase “anything easy isn't worth having” was no IT administrator. This certainty derives from the path-of-least-resistance attitude that many enterprises take when it comes to enforcing stringent encryption for public infrastructure, including their websites. We’ve previously blogged about the excuses many enterprises make for their lax encryption practices, but it’s worth examining what I believe is the primary culprit: lack of visibility and insight into their own security profiles.

The cold truth: you are rarely as secure as you think when you connect to an SSL encrypted web site. The browser shows a happy little lock icon, and you think nothing further on the subject. But recent revelations and exploits, such as the NSA, other nation states and others scooping up vast quantities of Internet data, courts ordering websites to hand over their SSL private keys, and Heartbleed leaking server memory including session data and private keys, have proven that we need to revisit the level of security used by web sites.

As some of you may be aware, a major security breach was reported at a well-known multinational company - we'll refer to them as Company X - on November 24, 2014. In the breach, their servers’ private keys and SSH keys were stolen. Among other things, an attacker holding the stolen keys can attempt to decrypt confidential traffic captured in the past, unless those sessions were protected by forward secrecy. This thought and my professional instinct led me to take a close look at some of their secure websites.
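The stolen-key scenario above and the PFS requirement in the earlier load balancer post come down to the same check: does every cipher suite the SSL terminator is willing to negotiate use ephemeral key exchange? The Python grader below is an added example, not code from any of the original posts or from the vendors they discuss. It parses cipher lists in the `openssl ciphers -v` line format (name, minimum protocol version, `Kx=`, `Au=`, `Enc=`, `Mac=`), flags suites where a stolen server key would decrypt recorded sessions (static `Kx=RSA`), anonymous suites with no server authentication, and weak or short-keyed ciphers. The sample list is constructed for the example, and the function names are the example's own.

```python
"""Grade a cipher list in `openssl ciphers -v` format for forward secrecy and weak primitives.

Added example, not from the original posts. It checks the cipher string an ADC or web
server is configured with; it does not perform a live handshake.
"""
import re

# Constructed sample in the `openssl ciphers -v` line format (not captured from any real host).
# Columns: name, minimum protocol version, Kx=key exchange, Au=authentication, Enc=cipher(bits), Mac.
SAMPLE_CIPHERS_V = """\
TLS_AES_256_GCM_SHA384        TLSv1.3 Kx=any      Au=any   Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-AES128-GCM-SHA256   TLSv1.2 Kx=ECDH     Au=RSA   Enc=AESGCM(128) Mac=AEAD
DHE-RSA-AES256-SHA256         TLSv1.2 Kx=DH       Au=RSA   Enc=AES(256)    Mac=SHA256
ADH-AES128-SHA                SSLv3   Kx=DH       Au=None  Enc=AES(128)    Mac=SHA1
AES128-GCM-SHA256             TLSv1.2 Kx=RSA      Au=RSA   Enc=AESGCM(128) Mac=AEAD
DES-CBC3-SHA                  SSLv3   Kx=RSA      Au=RSA   Enc=3DES(168)   Mac=SHA1
RC4-SHA                       SSLv3   Kx=RSA      Au=RSA   Enc=RC4(128)    Mac=SHA1
"""

# Ephemeral (EC)DH key exchange gives forward secrecy. OpenSSL prints Kx=any for TLS 1.3
# suites, which only ever use ephemeral key exchange. Kx=RSA is static RSA key transport:
# the session secret is encrypted to the certificate's key, so whoever later obtains that
# private key can decrypt every recorded session that used it.
FORWARD_SECRET_KX = {"ECDH", "DH", "any"}
WEAK_ENC_PREFIXES = ("RC4", "RC2", "3DES", "DES", "IDEA", "SEED", "NULL")
MIN_KEY_BITS = 128


def parse_cipher_line(line):
    """Parse one `openssl ciphers -v` line into a dict; returns None for blank lines."""
    fields = line.split()
    if len(fields) < 2:
        return None
    entry = {"name": fields[0], "version": fields[1]}
    for field in fields[2:]:
        if "=" in field:  # skip bare flags such as the trailing 'export' on export suites
            key, value = field.split("=", 1)
            entry[key.lower()] = value
    return entry


def grade_cipher(entry):
    """Return the list of problems with one suite; an empty list means it passes."""
    issues = []
    if entry.get("kx") not in FORWARD_SECRET_KX:
        issues.append(f"no forward secrecy (Kx={entry.get('kx')}): stolen server key decrypts past sessions")
    if entry.get("au") == "None":
        issues.append("anonymous key exchange: no server authentication, trivially intercepted")
    enc = entry.get("enc", "")
    if enc.startswith(WEAK_ENC_PREFIXES):
        issues.append(f"weak or broken cipher {enc}")
    bits = re.search(r"\((\d+)\)", enc)
    if bits and int(bits.group(1)) < MIN_KEY_BITS:
        issues.append(f"key shorter than {MIN_KEY_BITS} bits: {enc}")
    if entry.get("mac") == "MD5":
        issues.append("MD5 MAC")
    return issues


def grade_cipher_list(text):
    """Map suite name -> issues for every line of `openssl ciphers -v` output."""
    report = {}
    for line in text.splitlines():
        entry = parse_cipher_line(line)
        if entry:
            report[entry["name"]] = grade_cipher(entry)
    return report


def all_forward_secret(text):
    """True only if every suite in the list uses ephemeral key exchange."""
    entries = [e for e in map(parse_cipher_line, text.splitlines()) if e]
    return bool(entries) and all(e.get("kx") in FORWARD_SECRET_KX for e in entries)


if __name__ == "__main__":
    import sys
    text = SAMPLE_CIPHERS_V if sys.stdin.isatty() else sys.stdin.read()
    for name, issues in grade_cipher_list(text or SAMPLE_CIPHERS_V).items():
        print(f"{name:30} {'OK' if not issues else '; '.join(issues)}")
    print("every suite forward secret:", all_forward_secret(text or SAMPLE_CIPHERS_V))
```

To check the cipher string actually configured on a terminator, expand it with the same OpenSSL build and pipe the result in, for example `openssl ciphers -v 'HIGH:!aNULL' | python3 grade_ciphers.py`. Note that the second column is the minimum protocol version a suite is defined for, not the version a server negotiates, so a "SSLv3" entry is not by itself evidence that SSLv3 is enabled.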